Closed
Bug 535628
Opened 16 years ago
Closed 12 years ago
Please add additional information on the phishing warning message in order not to criminalize the victims of hacker assaults.
Categories
(Toolkit :: Safe Browsing, enhancement)
RESOLVED
WONTFIX
People
(Reporter: wolfgang, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
My webpage had been hacked, but I removed the malware. Nonetheless, Google put the address on its phishing list, from which it was removed some days later. All this time, Firefox showed a warning message that suggested that the site was harmful. It looked like I was trying to spy on my customers, even when the threat was already removed and though I myself was the victim of an assault.
Please add additional information on the phishing warning page:
1.) Note that the site might have been hacked, and that the owner is not necessarily the bad guy.
2.) Note that the message is based on information from Google and that Google is not necessarily right.
Reproducible: Always
Comment 1•16 years ago
That sounds like a pretty reasonable request. I think the UI might be bound to some guidelines. They are here:
http://code.google.com/apis/safebrowsing/developers_guide.html#AcceptableUsage
Anyone on the Google safe browsing team care to comment?
Comment 2•16 years ago
> That sounds like a pretty reasonable request.
This isn't as cut and dried as we'd like it to be.
The first thing I'd point out is that operating a web site, particularly a commercial one, carries a certain security responsibility with it. The prevalence of point-and-click storefronts these days doesn't excuse vendors from the responsibility for, or consequences of, security planning.
I'll also assert that keeping the language on our warning pages extremely short is essential - we should be treating it as though every additional sentence cuts the number of people who will read it by 50%, effectively. I'm serious here, weigh the win of this change against the loss of 50% of Firefox users actually reading the content.
Having said all that, I'm sympathetic. The owner of a hacked shop is a victim, here as well. They have much more control over it than their customers do, but nevertheless, they have been victimized as well.
That's why the warnings all talk about "Reported" attack sites and forgeries, because all we are asserting is that reports have been filed. It's why we have an ignore this warning button, and a "why was this site blocked" button to give more information.
It's why, if a user does click the "Why was this site blocked?" on a phishing page, to express actual interest in learning more, they are taken to our FAQ which has language like:
"These attacks can be very difficult to detect; even a site that looks safe may be secretly trying to attack you. Attackers will often hack a site to turn it into an Attack Site, and sometimes the Web site's owner won't even know that this has happened."
So.
Our principal obligation, bar none, is to protect our users. It may seem innocuous or even noble to add more nuance to our warning messages, but it has the opposite of the intended effect - it causes them to be *less* effective. The language in those warnings has been wordsmithed to within an inch of its life to be as effective as possible at its primary task: informing users about a risk we're aware of that they likely are not. I'm not WONTFIXING this bug immediately because it's going to take me a while to think about whether there is any way to improve the wording without adding to it. But the idea of adding another sentence is not one I'm likely to accept - I know it's counter-intuitive, but that will hurt our users more than it helps.
In the meantime, if you haven't done so already, I suggest following the instructions in the "Why was this blocked" FAQ to get your site removed from the list, and working with your site admins on securing it against further attacks. I know you feel victimized, but the reason that your site is being blocked is that, in the recent past, it was defrauding users into disclosing their personal information and potentially suffering serious financial or psychological harm. We're not going to soften our warnings, there.
Comment 3•12 years ago
Wontfixing per comment 2.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
Updated•11 years ago
Product: Firefox → Toolkit